Skip to content

Set up permissions to github workflows #680

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
joycebrum opened this issue Feb 27, 2023 · 1 comment
Closed

Set up permissions to github workflows #680

joycebrum opened this issue Feb 27, 2023 · 1 comment
Labels
infrastructure

Comments

@joycebrum
Copy link
Contributor

I have suggested a PR to setuptools repo to harden permissions to the github workflows pypa/setuptools#3833, if that's ok, I also would like to do the same to the packaging repo in order to increase supply-chain security by limiting the impact of an eventual compromised workflow.

Let me know if a PR is also welcome in this repo and I'll submit it ASAP.
@pradyunsg
Copy link
Member

Thanks for flagging! I've set the default permissions in the settings for the repo to read, instead of needing to modify the workflows directly.

If someone is able to compromise/modify the settings of this repo, we're already compromised at that point so I reckon this is good enough! :)

@joycebrum joycebrum mentioned this issue Dec 29, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
infrastructure
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pradyunsg @joycebrum